Auernheimer, known online by his handle "weev," struck an upbeat tone in a post-conviction tweet. "We went in knowing there would be a guilty here," he wrote. "I'm appealing of course."

The case began in 2010, when Auernheimer and a collaborator, Daniel Spitler, discovered a security vulnerability that affected iPad owners who signed up for AT&T's 3G service. A script on AT&T's servers would accept an iPad's ICC-ID—a unique identifier embedded in the device's microSIM card—and return that user's e-mail address. Unfortunately, ICC-IDs came in a predictable range, so Auernheimer was able to guess tens of thousands of ICC-IDs and retrieve the associated e-mail addresses.

Last year, the FBI concluded that the pair had committed a felony and arrested them. Chat logs obtained by the prosecution do not paint the pair in a flattering light. They discussed, but apparently did not carry out, a variety of schemes to use the harvested data for nefarious purposes such as spamming, phishing, or short-selling AT&T's stock. Ultimately, they decided that the approach that would bring the "max lols" would be to pass the information to the media in an effort to publicly embarrass AT&T.

In an interview with CNET, Auernheimer portrayed "Goatse Security" as a legitimate security research group. But in IRC chats he seemed to regard this characterization as mere "spin."

"At this point we won. we dropepd [sic] the stock price," Auernheimer wrote after the news of the hack was reported in the media. "Let's not like do anything else we f**king win and i get to like spin us as a legitimate security organization."

Spitler decided to plead guilty and cooperate with the government, so the trial focused on Auernheimer. On Tuesday, the jury handed down a guilty verdict. Auernheimer and Spitler are now awaiting sentencing. Auernheimer faces up to five years in prison and a $250,000 fine, according to Reuters.

"We disagree with the prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act," Auernheimer's attorney Tor Ekeland told Reuters in a phone interview.

Indeed, the contours of the nation's anti-hacking law, which dates to 1986, are far from clear. We've covered the prosecution of Aaron Swartz, who faces felony hacking charges for spidering articles from an academic repository. The Swartz case and the appeal of Auernheimer's conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.
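The pattern the article describes, a server-side script that returns an account attribute for whatever device identifier is presented to it, is an authorization failure: the identifier is treated as if it were proof of ownership, and because the identifiers fall in a predictable range the whole table is one loop away. The Python below is an added illustration, not AT&T's code and not from the article; the ICC-IDs, e-mail addresses, the `Session` object and all function names are constructed for the example. It shows the lookup as described beside a version that binds the identifier to an authenticated session and hands out unguessable opaque handles instead of the predictable identifier.

```python
"""Lookup of an account attribute by device identifier: the failing pattern beside a
hardened one. Added example; all identifiers, addresses and names are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample table: fake ICC-IDs (sequential, like the predictable range the
# article mentions) mapped to fake subscriber e-mail addresses.
ACCOUNTS: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
}


def lookup_vulnerable(iccid: str) -> Tuple[int, str]:
    """The behaviour the article describes: whoever supplies an ICC-ID gets the e-mail.
    No caller identity is involved, so the identifier alone acts as proof of ownership."""
    email = ACCOUNTS.get(iccid)
    return (200, email) if email else (404, "")


@dataclass(frozen=True)
class Session:
    """Assumed authenticated session; `iccid` is the device it was established for."""
    iccid: str


def lookup_hardened(session: Optional[Session], iccid: str) -> Tuple[int, str]:
    """Same lookup with the missing authorization check: the identifier in the request
    must match the one bound to the authenticated session."""
    if session is None:
        return 401, ""
    # Constant-time comparison of the two identifiers. A mismatch and a genuinely
    # missing record both yield 404, so the endpoint cannot be used to confirm which
    # identifiers exist.
    if not hmac.compare_digest(session.iccid, iccid):
        return 404, ""
    email = ACCOUNTS.get(iccid)
    return (200, email) if email else (404, "")


# Opaque handles: unguessable references issued per device so that the URL never
# carries the predictable ICC-ID at all. In-memory map for the example; a real
# service would persist it with the account.
HANDLES: Dict[str, str] = {}


def issue_handle(iccid: str) -> str:
    """Issue a 256-bit random, URL-safe handle that refers to the given device."""
    handle = secrets.token_urlsafe(32)
    HANDLES[handle] = iccid
    return handle


def lookup_by_handle(session: Optional[Session], handle: str) -> Tuple[int, str]:
    """Resolve an opaque handle, then apply exactly the same ownership check."""
    iccid = HANDLES.get(handle)
    if iccid is None:
        return 404, ""
    return lookup_hardened(session, iccid)


if __name__ == "__main__":
    own = Session(iccid="89014103211118510720")
    print(lookup_vulnerable("89014103211118510721"))   # anyone gets bob's address
    print(lookup_hardened(own, "89014103211118510721"))  # (404, '') for someone else's
    print(lookup_by_handle(own, issue_handle(own.iccid)))
```

Two design choices matter here: the ownership check denies with the same 404 whether the record is missing or simply not the caller's, so the endpoint cannot be used to confirm which identifiers are live, and the opaque handle removes the predictable range from the URL altogether, which is the difference between the sequential-ID and GUID schemes debated in the comments below.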

Promoted Comments

There's changing URL query strings, and then there's programmatically scraping what are obviously not meant to be forward facing endpoints.

And on top of that, there's having damning evidence of intent to misuse the data gathered.

AT&T made a mistake, and I don't think they should get away for free on it. Granted, they didn't exactly get away free on it, at least economically, although that's of little meaning to anyone whose data was exposed. Personally identifiable data like this shouldn't have been exposed.

But AT&T's mistake or even possible ethical culpability (sadly there's no legal culpability usually for anything of this nature) does not somehow negate the wrongdoing of the defendants. This is not a zero sum game.

If they were acting as legitimate security professionals, they would have done enough work to determine the nature of the breach, then notified AT&T. Instead they gathered thousands of emails, then went on to discuss ways to profit from the clearly confidential data they'd gathered. Instead of directly profiting, they went on to publish it in a way which was clearly meant (especially from their recorded conversations) to cause harm. This is essentially intentional industrial sabotage, even if they didn't gain from it monetarily.

I'm all for having privacy laws that would punish companies who do not maintain at least baseline adequate security, but you can't just ignore malfeasance by other parties at the same time. Just because one party did something wrong (in this case, AT&T) in no way negates the intentional actions of another party/parties (Auernheimer and Spitler). And so far as the law goes, what Auernheimer and Spitler did is clearly covered, even if it's a case of the particular law being overly broad and used as a blanket to cover both cases which are clearly violations of the spirit governing it and sadly also those which probably should not be prosecutable. Personally I think this was a correct application of the law: the ethics of the case seem to align with the outcome, especially taking into account intent.

So, if I write a RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001 returns some human-readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /customeraccount/001/passw0rd1. Now you try to get at customer #2's account by guessing their password, with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301. Now you try to get in to other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unauthorized access, some are more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilty of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.
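The comment above frames the question as how high the barrier is. On the operator's side the practical complement is noticing when someone is walking a predictable identifier range, because the scenario in the article (tens of thousands of guesses against one endpoint) is highly visible in ordinary access logs. The Python below is an added example, not code from the page or from AT&T: the log lines, client addresses, the `/lookup` path and the `ICCID` parameter name are all constructed, and the thresholds are assumptions to be tuned per service.

```python
"""Spot identifier enumeration in web access logs. Added example with constructed data."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Set, Tuple

# Combined-log-format line. The query parameter name "ICCID" and the path "/lookup"
# are assumptions for this example, not the real endpoint.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ICCID_RE = re.compile(r"[?&]ICCID=(?P<iccid>\d{18,20})(?:&|$)")

# Constructed access log: one client walking six consecutive ICC-IDs, one client with
# five unrelated IDs (a busy but legitimate integration), and one ordinary lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?ICCID=89014103211118510720 HTTP/1.1" 200 511
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?ICCID=89014103211118510721 HTTP/1.1" 200 509
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?ICCID=89014103211118510722 HTTP/1.1" 200 513
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?ICCID=89014103211118510723 HTTP/1.1" 404 87
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?ICCID=89014103211118510724 HTTP/1.1" 200 515
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?ICCID=89014103211118510725 HTTP/1.1" 200 508
192.0.2.9 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?ICCID=89014103211118510100 HTTP/1.1" 200 510
192.0.2.9 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?ICCID=89014103211118510305 HTTP/1.1" 200 510
192.0.2.9 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?ICCID=89014103211118510611 HTTP/1.1" 200 510
192.0.2.9 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?ICCID=89014103211118510840 HTTP/1.1" 200 510
192.0.2.9 - - [09/Jun/2010:10:00:06 +0000] "GET /lookup?ICCID=89014103211118510977 HTTP/1.1" 200 510
198.51.100.4 - - [09/Jun/2010:10:00:07 +0000] "GET /lookup?ICCID=89014103211118510745 HTTP/1.1" 200 510
"""


def parse_lookups(lines: Iterable[str]) -> Iterator[Tuple[str, int, int]]:
    """Yield (client_ip, iccid_as_int, status) for every line that carries an ICC-ID."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        q = ICCID_RE.search(m.group("path"))
        if q:
            yield m.group("ip"), int(q.group("iccid")), int(m.group("status"))


def find_enumerators(lines: Iterable[str], min_distinct: int = 5,
                     min_sequential_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag clients whose distinct identifiers are mostly numerically adjacent.

    Thresholds are assumptions: a client must have requested at least `min_distinct`
    different identifiers, and at least `min_sequential_ratio` of the sorted
    neighbours must differ by exactly one.
    """
    ids_by_ip: Dict[str, Set[int]] = defaultdict(set)
    hits_by_ip: Dict[str, int] = defaultdict(int)
    for ip, iccid, status in parse_lookups(lines):
        ids_by_ip[ip].add(iccid)
        if status == 200:
            hits_by_ip[ip] += 1  # a 200 here means a record was actually disclosed

    flagged: Dict[str, dict] = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = adjacent / (len(ordered) - 1)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {
                "distinct_ids": len(ordered),
                "sequential_ratio": round(ratio, 2),
                "successful": hits_by_ip[ip],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The heuristic scores how many of a client's distinct identifiers are numerically adjacent, which separates an enumeration from a busy legitimate client that requests many unrelated identifiers; the count of 200 responses is how many records were actually disclosed, which is the number an incident report needs. Once the endpoint carries an ownership check or an unguessable handle the same walk shows up as a run of 404s from one client, which is an even simpler signal.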

72 Reader Comments

Even though these guys sound like dicks, not sure what they did was all that wrong. All they got is a list of people's e-mail addresses -- that's it. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

Setup a server that responds to requests and sends info you were legally required to keep private. Someone figures out the request that gets that info. Send *that* person to prison, not the person who operated the server that was sharing the private info. So very backwards.

Even though these guys sound like dicks, not sure what they did was all that wrong. From what I remember, they got a list of people's e-mail addresses -- that's all. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

This just leaves a bad taste in my mouth.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web. When the page was given an ID, it would respond with an associated email for that ID. (The ID was the iPAD unique ID).

What they did was to iterate through every possible ID and grab emails that were returned.

Even though these guys sound like dicks, not sure what they did was all that wrong. All they got is a list of people's e-mail addresses -- that's it. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

This just leaves a bad taste in my mouth.

No, but unauthorized access of a computer is illegal. That is what he was found guilty of.

Edit: to clarify, he was convicted of one count of identity fraud and one count of conspiracy to access a computer without authorization. Not sure where the identity fraud comes in since AFAIK he did not actually use the email addresses. Will have to read some more.

Even though these guys sound like dicks, not sure what they did was all that wrong. From what I remember, they got a list of people's e-mail addresses -- that's all. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

This just leaves a bad taste in my mouth.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web. When the page was given an ID, it would respond with an associated email for that ID. (The ID was the iPAD unique ID).

What they did was to iterate through every possible ID and grab emails that were returned.

They then went to the press with the exploit after gathering every email they could, and explained what they did.

Apologies if I have any details wrong here.

I don't see why that should be illegal. Is spidering the only legal way to browse the web? And is that what we want?

You really don't see a difference between what they did and browsing the web?

Edit: For those who might be coming late to the party and might want to respond to this comment without reading my later comments that include an analysis of the law in question, the answer to the above is intent.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web.

But was it publicly accessible via the internet when it was used by Auernheimer?

Let's say I put up a webpage, accessible to anyone with an internet connection but without a published map of available URLs or directory listings, and behind the index.html page (which says, "Go away or I'll sue you!") I have a bunch of pages with sensitive information of my clients, organized in a methodical way that was easy to guess. The site has no other security mechanisms in place.

Are we expected to believe that a random user of the internet who stumbles on the site, guesses my "super-secret" URL scheme and accesses my client's sensitive information is breaking the law? Because, to me, that seems like a failure of my website, not hacking.

How is a person expected to know that what he or she accesses is *supposed* to be secured and inaccessible to the public. If the information isn't locked down, then it's fair game? I change URL query strings all the time to see what happens...

They hit a webpage built by AT&T that was not designed originally to be hit by the external web.

But was it publicly accessible via the internet when it was used by Auernheimer?

Let's say I put up a webpage, accessible to anyone with an internet connection but without a published map of available URLs or directory listings, and behind the index.html page (which says, "Go away or I'll sue you!") I have a bunch of pages with sensitive information of my clients, organized in a methodical way that was easy to guess. The site has no other security mechanisms in place.

Are we expected to believe that a random user of the internet who stumbles on the site, guesses my "super-secret" URL scheme and accesses my client's sensitive information is breaking the law? Because, to me, that seems like a failure of my website, not hacking.

I totally agree with you, but I'm not the one making the laws or sitting on the jury.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web.

But was it publicly accessible via the internet when it was used by Auernheimer?

Let's say I put up a webpage, accessible to anyone with an internet connection but without a published map of available URLs or directory listings, and behind the index.html page (which says, "Go away or I'll sue you!") I have a bunch of pages with sensitive information of my clients, organized in a methodical way that was easy to guess. The site has no other security mechanisms in place.

Are we expected to believe that a random user of the internet who stumbles on the site, guesses my "super-secret" URL scheme and accesses my client's sensitive information is breaking the law? Because, to me, that seems like a failure of my website, not hacking.

No...but then if a random user decides to create a script to grab as much of the information as they can, and then does so, and then conspires with another party to use that information fraudulently (even if they then decide to back out)...that is unauthorized access and conspiracy to commit fraud.

How hard can this be? They pretty much hung themselves when they decided to brag about it.

They want to shut down all non-government-employed-or-approved security researchers, so naturally they're starting with the least sympathetic. Of course this will just force all security expertise overseas, but that just proves that these prosecutors and their masters don't actually care about the security of the American public.

Even though these guys sound like dicks, not sure what they did was all that wrong. From what I remember, they got a list of people's e-mail addresses -- that's all. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

This just leaves a bad taste in my mouth.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web. When the page was given an ID, it would respond with an associated email for that ID. (The ID was the iPAD unique ID).

What they did was to iterate through every possible ID and grab emails that were returned.

They then went to the press with the exploit after gathering every email they could, and explained what they did.

Apologies if I have any details wrong here.

Thanks, but I know how they did it -- I could write the script to do that in two minutes myself. I was questioning who should be held accountable: AT&T for exposing sensitive information to the Internet, or these two guys who wrote a script that essentially just submitted a different query string to a URL thousands of times.

They hit a webpage built by AT&T that was not designed originally to be hit by the external web.

But was it publicly accessible via the internet when it was used by Auernheimer?

Let's say I put up a webpage, accessible to anyone with an internet connection but without a published map of available URLs or directory listings, and behind the index.html page (which says, "Go away or I'll sue you!") I have a bunch of pages with sensitive information of my clients, organized in a methodical way that was easy to guess. The site has no other security mechanisms in place.

Are we expected to believe that a random user of the internet who stumbles on the site, guesses my "super-secret" URL scheme and accesses my client's sensitive information is breaking the law? Because, to me, that seems like a failure of my website, not hacking.

No...but then if a random user decides to create a script to grab as much of the information as they can, and then does so, and then conspires with another party to use that information fraudulently (even if they then decide to back out)...that is unauthorized access and conspiracy to commit fraud.

How hard can this be? They pretty much hung themselves when they decided to brag about it.

I'm completely on board with the fraud argument or, more generally, with the argument that if they used the culled information in a malicious way they should be held liable. In this case, that seems clear.

What I'm less clear on is whether that is really "unauthorized access." Where is that line crossed? By writing a script? By the intent behind access?

Maybe this is made clear in the anti-hacking law, but I have concerns that it is overly broad. Punish the use of information, not accessing information that was made trivially accessible by an inept organization.

There's changing URL query strings, and then there's programmatically scraping what are obviously not meant to be forward facing endpoints.

And on top of that, there's having damning evidence of intent to misuse the data gathered.

AT&T made a mistake, and I don't think they should get away for free on it. Granted, they didn't exactly get away free on it, at least economically, although that's of little meaning to anyone whose data was exposed. Personally identifiable data like this shouldn't have been exposed.

But AT&T's mistake or even possible ethical culpability (sadly there's no legal culpability usually for anything of this nature) does not somehow negate the wrongdoing of the defendants. This is not a zero sum game.

If they were acting as legitimate security professionals, they would have done enough work to determine the nature of the breach, then notified AT&T. Instead they gathered thousands of emails, then went on to discuss ways to profit from the clearly confidential data they'd gathered. Instead of directly profiting, they went on to publish it in a way which was clearly meant (especially from their recorded conversations) to cause harm. This is essentially intentional industrial sabotage, even if they didn't gain from it monetarily.

I'm all for having privacy laws that would punish companies who do not maintain at least baseline adequate security, but you can't just ignore malfeasance by other parties at the same time. Just because one party did something wrong (in this case, AT&T) in no way negates the intentional actions of another party/parties (Auernheimer and Spitler). And so far as the law goes, what Auernheimer and Spitler did is clearly covered, even if it's a case of the particular law being overly broad and used as a blanket to cover both cases which are clearly violations of the spirit governing it and sadly also those which probably should not be prosecutable. Personally I think this was a correct application of the law: the ethics of the case seem to align with the outcome, especially taking into account intent.

[quote="DoomHamster"]No...but then if random user decides to create a script to grab as much of the information as they can, and then do so, and then conspire with another party to use that information fraudulently (even if they then decide to back out)...that is unauthorized access and conspiracy to commit fraud.

How hard can this be? They pretty much hung themselves when they decided to brag about it.[/quote]

What you fail to realize is that laws are very literal. Yes, there is "spirit" in the law, and I believe that's what you're referring to here. The defendant may not have been complying with the "spirit" of the law, but he did not break any laws by typing a URL and scraping the response. Just because he scripted it doesn't make it hacking.

I have an S3 account where I have stored all my music. It's completely private. There are no indexed pages. I admin everything from Amazon's web app. I've shared some songs with friends, and in the process have had to expose those specific files to the Internet at large. Kind of like what AT&T did here...if someone randomly tries some URLs and can find them, wow, kudos. But it'd be my fault for not securing my stuff. If AT&T is supposed to be protecting privacy, they've failed massively. But, by that same token, AT&T likely hasn't broken any laws, either. They've broken trust with customers, though.

I'm completely on board with the fraud argument or, more generally, with the argument that if they used the culled information in a malicious way they should be held liable. In this case, that seems clear.

What I'm less clear on is whether that is really "unauthorized access." Where is that line crossed? By writing a script? By the intent behind access?

Maybe this is made clear in the anti-hacking law, but I have concerns that it is overly broad. Punish the use of information, not accessing information that was made trivially accessible by an inept organization.

Intent has always been a very important element of law. Clearly, the defendant in this case had malicious intent. Despite the fact that they did not use the email addresses maliciously, the entire act of accessing the data and releasing their results was malicious by their own admission. The chat logs are quite damning in that regard.

I believe that their access would fall under the descriptions given in section A subsections 4, 5 and 7:

Quote:

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. [2]

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any— (A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

Notice how often intent/intentionally/knowingly crops up.

Now you might be tempted to say after reading this that this was not a "protected computer" (that was my initial thought). The law covers that in section E subsection 2b:

Quote:

(2) the term “protected computer” means a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

So it looks like the term "protected computer" does not mean "protected by security" but rather "belonging to a protected class of computers"...in this case, any computer that in any way affects interstate commerce...which, in the U.S., can mean just about anything.

So based on that, if you intentionally access unauthorized data and cause any damage or loss or threaten to do so on any computer belonging to the class of "protected computer", you are pooched.

Even though these guys sound like dicks, not sure what they did was all that wrong. All they got is a list of people's e-mail addresses -- that's it. Sure, they talked about doing illegal things with that list, but they didn't. Is an e-mail address personally protected information in the U.S.?

This just leaves a bad taste in my mouth.

No, but unauthorized access of a computer is illegal. That is what he was found guilty of.

Edit: to clarify, he was convicted of one count of identity fraud and one count of conspiracy to access a computer without authorization. Not sure where the identity fraud comes in since AFAIK he did not actually use the email addresses. Will have to read some more.

Curious if one could argue usage of the iPad IDs that should only be in use by the person who purchased the device counts as a personal identifier?

How is a person expected to know that what he or she accesses is *supposed* to be secured and inaccessible to the public. If the information isn't locked down, then it's fair game? I change URL query strings all the time to see what happens...

You could use your knowledge that a keypad entry system for many brands of garage doors is limited to numbers between 0001 and 9999 to systematically open them. Is anything you extract from the garage after exploiting this limitation considered "fair game"?

The court might not be convinced of your "intentions" if you engage in low-key experimentation like you are describing. The court may legitimately believe that you did not know what was going to happen and therefore did not intend any wrongdoing. Apparently, after 120,000 successful experiments and clearly documented understanding of what you are doing, the court no longer has any reasonable doubt that you intended to commit computer fraud/ID theft.

So, if I write a RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001 returns some human-readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /customeraccount/001/passw0rd1. Now you try to get at customer #2's account by guessing their password, with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301. Now you try to get in to other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unauthorized access, some are more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilty of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.

By putting something on the internet you are authorizing the public to access it. This is like putting up a flyer and then arresting people that read it.

I don't understand how getting a list of email addresses off a public website can result in 5 years in prison. That seems ridiculous to me.

You could easily walk up to someone's mailbox, open the mailbox, take out their credit card bill payment and have access to significant personal information... the mailbox at your average house is plainly visible to the public, not particularly secure, and the payment stub is just a piece of paper in an envelope. If it's a roadside mailbox, you can do it without even being on someone else's property. Is it legal for you to do this?

Not sure where the identity fraud comes in since AFAIK he did not actually use the email addresses.

I would imagine that the ID fraud is the use of the ICC-ID. Each ID is for a specific iPad, and by spoofing that ID, you're essentially claiming to be the owner of the device in question.

taswyn wrote:

But AT&T's mistake or even possible ethical culpability (sadly there's no legal culpability usually for anything of this nature) does not somehow negate the wrongdoing of the defendants. This is not a zero sum game.

This.

Anyone else's culpability is completely irrelevant when discussing the culpability of the two individuals who performed this specific act. Those would be arguments for another case, should one materialize.

DoomHamster: thanks for the info and analysis. I was going to look this up on my lunch break and now I don't have to. Given all of that, it seems pretty straightforward and most of it even makes sense to me.

How is a person expected to know that what he or she accesses is *supposed* to be secured and inaccessible to the public. If the information isn't locked down, then it's fair game? I change URL query strings all the time to see what happens...

You could use your knowledge that a keypad entry system for many brands of garage doors is limited to numbers between 0001 and 9999 to systematically open them. Is anything you extract from the garage after exploiting this limitation considered "fair game"?

The court might not be convinced of your "intentions" if you engage in low-key experimentation like you are describing. The court may legitimately believe that you did not know what was going to happen and therefore did not intend any wrongdoing. Apparently, after 120,000 successful experiments and clearly documented understanding of what you are doing, the court no longer has any reasonable doubt that you intended to commit computer fraud/ID theft.

Yes, the first part is accurate, but the keypad is meant to restrict access. It's analogous to a username and password.

Regarding the second part, even though it came up in the discussion of what to do with the emails, they didn't commit any fraud.

By putting something on the internet you are authorizing the public to access it. This is like putting up a flyer and then arresting people that read it.

I don't understand how getting a list of email addresses off a public website can result in 5 years in prison. That seems ridiculous to me.

You could easily walk up to someone's mailbox, open the mailbox, take out their credit card bill payment and have access to significant personal information... the mailbox at your average house is plainly visible to the public, not particularly secure, and the payment stub is just a piece of paper in an envelope. If it's a roadside mailbox, you can do it without even being on someone else's property. Is it legal for you to do this?

Your analogy is a pretty big leap. The big difference is that stealing, tampering with or even opening mail is a clear, long-standing law. There is no ambiguity.

While these particular individuals seem totally screwed based on their chat logs, I think there is significant ambiguity about what would constitute protected information and whether a person could know before hand what is protected information versus unprotected information. If there isn't a clear way to differentiate between the two, I think it raises some issues about the quality of the law and whether it will hold up under judicial review.

DoomHamster: thanks for the info and analysis. I was going to look this up on my lunch break and now I don't have to. Given all of that, it seems pretty straightforward and most of it even makes sense to me.

The part that still troubles me is the overly vague definition of protected computer combined with the wording, "to obtain information from a protected computer without authorization." Under the law, it would seem that if you intentionally access information from a website controlled by a company that does business between states and the company didn't authorize that access, you would be in violation. You wouldn't even need to have malicious intent to run afoul.

In this case, all of my concerns are moot, given their chat logs. But let's say they didn't have incriminating chat logs, was the fact that they obtained the information enough to prosecute them?

You bet! I have learned quite a bit from this case myself. Reading the law actually makes me feel better about the whole thing because it seems pretty clear that it is incumbent upon the prosecution's ability to prove intent. Every single definition in section (a) specifies that the defendant must have knowingly accessed unauthorized data or had intent to defraud:

Quote:

(1) having knowingly accessed a computer without authorization or exceeding authorized access...(2) intentionally accesses a computer without authorization or exceeds authorized access...(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States...(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access...(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization...(5)(B) intentionally accesses a protected computer without authorization...(5)(C) intentionally accesses a protected computer without authorization...(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization...(7) with intent to extort from any person any money or other thing of value...

Given the above and reading the chat logs, I think it is clear that the defendant's hubris was his downfall. I have no fear of accidentally running afoul of this law. At least, no more so than I do of accidentally running afoul of any other.

Quote:

... I think there is significant ambiguity about what would constitute protected information and whether a person could know beforehand what is protected information versus unprotected information.

It's not particularly ambiguous in this instance.

The information was supposed to require the use of a specific piece of equipment to access, and then was only supposed to access information belonging to the owner of the individual device accessing it.

The fact that you could spoof such a device is only relevant as regards the fact that one would have to have the knowledge that the information was only meant to be accessed by such, which knowledge would be required before one could then go ahead and do so.

This wasn't an accidental exposure; the individuals willfully circumvented the (admittedly laughable) security measures in place, and it would take some contortionist mental gymnastics to argue otherwise.

So, if I write a RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001 returns some human-readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /customeraccount/001/passw0rd1. Now you try to get at customer #2's account by guessing their password with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301. Now you try to get into other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unauthorized access, some more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilty of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.
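The three URL schemes in the post above, modelled as an added example (this is not code from the thread, from Ars, or from AT&T): a toy in-memory account service with a sequential-id endpoint, an id-plus-password endpoint, and a random-GUID endpoint, the enumeration attack the post describes run against each, and the server-side ownership check that closes the sequential-id hole regardless of how guessable the identifier is. The customer records, passwords and GUIDs are constructed sample data; the function names are assumptions for the sake of illustration.

```python
"""Added illustration of the /customeraccount schemes discussed in the thread.

Everything here is constructed: the accounts, the passwords and the GUIDs are
sample data, and the function names are assumptions, not any real service's API.
"""
import secrets
import uuid
from typing import Optional

# Constructed sample data: three customers with sequential ids, as in scheme 1.
ACCOUNTS = {
    1: {"name": "Alice", "email": "alice@example.com", "password": "passw0rd1"},
    2: {"name": "Bob", "email": "bob@example.com", "password": "hunter2"},
    3: {"name": "Carol", "email": "carol@example.com", "password": "letmein"},
}

# Scheme 3: one random v4 GUID per account (122 random bits each).
GUID_INDEX = {uuid.uuid4(): cid for cid in ACCOUNTS}


def _summary(acct: dict) -> dict:
    """The 'human readable account summary' the endpoint hands back."""
    return {"name": acct["name"], "email": acct["email"]}


def lookup_by_id(customer_id: int) -> Optional[dict]:
    """Scheme 1: /customeraccount/<id>. No check at all, so anyone who knows
    or guesses an id gets that customer's record (a classic IDOR)."""
    acct = ACCOUNTS.get(customer_id)
    return None if acct is None else _summary(acct)


def lookup_by_id_and_password(customer_id: int, password: str) -> Optional[dict]:
    """Scheme 2: /customeraccount/<id>/<password>. A credential is checked,
    so guessing it is a brute-force attack rather than a browse."""
    acct = ACCOUNTS.get(customer_id)
    if acct is None or not secrets.compare_digest(acct["password"], password):
        return None
    return _summary(acct)


def lookup_by_guid(guid: uuid.UUID) -> Optional[dict]:
    """Scheme 3: /customeraccount/<guid>. The only secret is the GUID itself."""
    cid = GUID_INDEX.get(guid)
    return None if cid is None else lookup_by_id(cid)


def enumerate_sequential(max_id: int) -> list:
    """The attack from the post: walk /customeraccount/001, /002, ... and keep
    every record the server returns. With sequential ids this is exhaustive."""
    return [r for r in (lookup_by_id(i) for i in range(1, max_id + 1)) if r]


def enumerate_guids(tries: int) -> list:
    """The same attack against scheme 3: guess random GUIDs. The expected number
    of hits is tries * len(ACCOUNTS) / 2**122, so this comes back empty."""
    return [r for r in (lookup_by_guid(uuid.uuid4()) for _ in range(tries)) if r]


def lookup_as_user(session_customer_id: int, requested_id: int) -> Optional[dict]:
    """The fix for scheme 1: bind the lookup to the authenticated principal
    (here, the customer id carried by the session) and check ownership on the
    server. Once this check exists, how guessable the URL is stops mattering."""
    if session_customer_id != requested_id:
        return None  # a real service would answer HTTP 403 here
    return lookup_by_id(requested_id)


if __name__ == "__main__":
    print("sequential enumeration found", len(enumerate_sequential(100)), "accounts")
    print("guid guessing found", len(enumerate_guids(1000)), "accounts")
    print("bob asking for alice:", lookup_as_user(2, 1))
```

Walking ids 1..100 recovers all three constructed accounts, a thousand random GUID guesses recover none, and `lookup_as_user` refuses a cross-account request even though the id in the URL is trivially guessable; that last point is the one the post's "who is guilty" question tends to obscure: the identifier format and the authorization check are separate controls, and only the latter actually fixes the exposure.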

I think the important thing is that the law unambiguously defines what is acceptable and unacceptable conduct, a point on which the current law may fall short. From my standpoint, your serial account id case would be clearly acceptable and your password and GUID cases would be clearly unacceptable. However, I am unsure of how the law would treat that activity.

An extreme example: a company publishes all of their stories on the web, viewable by month at the URL /stories/YYYYMM/. But their web UI only allows you to view the last three months' stories. Would I be breaking the law (by knowingly accessing information of value) because I typed /stories/200512/ into my web browser? Would it depend on whether the company considered that activity "unauthorized"?

Edit: this actually comes up in one real world example that I can think of. The NYTimes paywall depends on GET data posted to the end of a URL. Strip the GET data off and you've circumvented their paywall. Various tools exist to automate this and the trick is widely known in the webz. Is it hacking?

Quote:

So, if I write a RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001 returns some human-readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /customeraccount/001/passw0rd1. Now you try to get at customer #2's account by guessing their password with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301. Now you try to get into other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unauthorized access, some more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilty of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.

You seem to be assuming there can be only one guilty party. I would say that AT&T is guilty of negligence, and these guys are guilty of unauthorized access. There's enough guilt to go around.

If you leave your house unlocked, you may be guilty of being a moron, but that doesn't mean that thieves who break in are not guilty of trespass, breaking and entering, etc.

Quote:

... I think there is significant ambiguity about what would constitute protected information and whether a person could know beforehand what is protected information versus unprotected information.

It's not particularly ambiguous in this instance.

The information was supposed to require the use of a specific piece of equipment to access, and then was only supposed to access information belonging to the owner of the individual device accessing it.

The fact that you could spoof such a device is only relevant as regards the fact that one would have to have the knowledge that the information was only meant to be accessed by such, which knowledge would be required before one could then go ahead and do so.

This wasn't an accidental exposure; the individuals willfully circumvented the (admittedly laughable) security measures in place, and it would take some contortionist mental gymnastics to argue otherwise.

^-.-^

No arguments from me there. I'm not defending these guys and I think their conviction was proper. I'm playing a "what if" game here, trying to figure out how far this law could be taken.

Who gave out the predictable shitty UUIDs that are easy to crack? It's like keeping the same key for all houses in the neighborhood. If one neighbor goes into another's house using his key, I think the builder should be punished as well, not just the guy that took advantage of it. I am surprised people can so easily overlook incompetencies like these.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.